Ransomware Negotiator Angelo Martino Pleads Guilty to BlackCat Scheme
Angelo Martino, a 41-year-old former ransomware negotiator from Land O’Lakes, Florida, pleaded guilty Monday to helping the BlackCat/ALPHV ransomware gang extort companies while ostensibly working to protect victims. The U.S. Justice Department announced that Martino admitted to feeding confidential information to cybercriminals in five separate incidents starting in April 2023.
Martino worked for cybersecurity firm DigitalMint when he began secretly collaborating with BlackCat operators. According to TechCrunch, he provided the ransomware gang with victims’ insurance policy limits and negotiation strategies to maximize criminal payouts, taking a cut of the proceeds for himself.
Third Security Professional Caught in BlackCat Scheme
Martino becomes the third ransomware negotiator prosecuted for the same scheme within the past year. The Hacker News reported that prosecutors previously charged Kevin Tyler Martin, another DigitalMint employee, and Ryan Clifford Goldberg, a former incident response manager at cybersecurity giant Sygnia, for similar betrayals.
BlackCat/ALPHV operated as a ransomware-as-a-service (RaaS) platform, developing file-locking malware while contractors deployed it in attacks and shared ransom profits with the developers. The scheme exploited the trust victims placed in their cybersecurity advisors during crisis situations.
“Angelo Martino’s clients trusted him to respond to ransomware threats and help thwart and remedy them on behalf of victims,” said Assistant Attorney General A. Tysen Duva in the Justice Department press release. “Instead, he betrayed them and began launching ransomware attacks himself by assisting cyber criminals.”
The Gentlemen Gang Emerges as Major Threat
While established groups like BlackCat face law enforcement pressure, new ransomware operations continue to emerge. Dark Reading reported that a group called “The Gentlemen” has rapidly scaled operations since appearing in mid-2025, claiming hundreds of victims in just months.
The Gentlemen runs sophisticated double-extortion attacks, using both encryption and data theft as leverage. Check Point Research identified the gang’s use of SystemBC malware, described as “proxy malware frequently leveraged in human-operated ransomware operations for covert tunneling and payload delivery.”
Check Point’s analysis revealed a botnet of more than 1,570 victims connected to SystemBC’s command and control servers. The infection profile suggests “a focus on corporate and organizational environments rather than opportunistic consumer targeting,” according to researchers.
Ransomware Groups Show Continued Sophistication
Comparitech researchers found The Gentlemen claimed 202 attacks last quarter, ranking second only to Qilin’s 353 claims. NCC Group tracked 34 attacks by The Gentlemen in January and 67 in February, demonstrating rapid operational scaling.
The group employs advanced tactics including antivirus killers and complex infection chains. This sophistication reflects the broader ransomware ecosystem’s evolution toward more targeted, professional operations rather than opportunistic mass attacks.
Ransomware-as-a-service models like those used by BlackCat and The Gentlemen allow specialized criminal groups to focus on different aspects of attacks – from initial access to negotiation – creating more efficient and dangerous operations.
Email Attacks Shift to Behavioral Exploitation
Cybercriminals are increasingly abandoning technical exploits in favor of social engineering tactics that exploit trusted relationships. Abnormal AI’s 2026 Attack Landscape Report, which analyzed nearly 800,000 email attacks across more than 4,600 organizations, documents this behavioral focus.
Phishing remains the dominant attack method at 58% of incidents, while business email compromise (BEC) accounts for 11%. Vendor email compromise, a BEC subtype, represents more than 60% of all BEC attacks. More than 20% of phishing attacks now use redirect chains to obscure malicious pages from security tools.
Attackers tailor file-sharing lures to industries where document exchange is common and align brand impersonation with targets’ software environments. “The same structures, workflows, and relationships that define how an organization operates also define where an attack can blend in undetected,” the report states.
What This Means
The Martino case exposes a critical vulnerability in the cybersecurity industry: insider threats within incident response teams. When negotiators secretly work for attackers, victims face inflated ransom demands and compromised recovery strategies. Organizations must implement stronger vetting and monitoring of third-party security providers.
The rapid rise of groups like The Gentlemen demonstrates ransomware’s persistent evolution despite law enforcement successes against established gangs. New operations quickly fill market gaps with sophisticated tools and targeted approaches, maintaining pressure on corporate victims.
The shift toward behavioral exploitation in email attacks requires updated security awareness training. Traditional phishing indicators like poor grammar are becoming obsolete as attackers create highly convincing messages that exploit organizational workflows and trusted relationships.
FAQ
How did Angelo Martino help ransomware attackers while working as a negotiator?
Martino secretly provided BlackCat ransomware operators with confidential information including victims’ insurance policy limits and negotiation strategies. This allowed criminals to maximize ransom demands while Martino took a cut of the increased payments.
What makes The Gentlemen ransomware group particularly dangerous?
The Gentlemen has rapidly scaled to claim hundreds of victims since mid-2025 using sophisticated tactics including SystemBC proxy malware, antivirus killers, and complex infection chains. Their focus on corporate targets rather than consumers makes them especially threatening to businesses.
How are modern email attacks different from traditional phishing?
Modern attackers create highly targeted messages that exploit trusted relationships and routine workflows rather than relying on obvious technical flaws. They use redirect chains to hide malicious content and tailor lures to specific industries and roles, making detection much more difficult.
Sources
- ‘The Gentlemen’ Rapidly Rises to Ransomware Prominence – Dark Reading
- Ransomware negotiator pleads guilty to helping ransomware gang – TechCrunch
- Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023 – The Hacker News
- Third US Security Expert Admits Helping Ransomware Gang – SecurityWeek






